Distributed TiVo Code Cracking
Twostep writes "With the newest version of the TiVo software (Version 3.2), TiVo has once again changed the secret password to enter "backdoor" mode, which lets advanced users enable hidden features. Unlike last time, people were not able to quickly find the new code, so a distributed computing project was started to find the backdoor codes. You can read about it Here, grab the Linux or Windows clients and pitch in some CPU time for a good cause."
How long was it last time? Is it just a random 20 chars of letters or what?
Is it updated via modem? if so, why not tap your own line!
I don't have a TiVo... nor... well yes I have a modem but it is currently being used as a paperweight...
But couldn't we get one of these software modems to just listen in on the other traffic?
I suspect that some satellite TV companies do their stuff over the satellite... and some do it over the modem... either way, if I buy something... it's mine... No bugger is going to get away with deactivating it on me...
Please use [ informative / summarizing ] SUBJECT LINES
Flame me here
good cause?
How is this a good cause? I am asking out of sheer curiosity, not against the statement. If there is a legitimate reason for cracking it, then can someone point me to some literature about this subject, or just explain to me why TiVo deserves to be cracked in this manner???
I'm just confused, sounds like this is cracking, and last time I checked that's a pretty illegitimate thing to do, even advocate.
And when are we going to stop giving a damn about consumer gizmos running embedded linux, as long as the actual interesting functions are in some closed application running in the box? The interesting gadgets are the ones that are fully hackable, so the application code comes with source and is easy to customize. Freevo might be a start at a hackable PVR.
You cannot buy a 2003 ford mustang, remove the muffler, and drive around at 3am generating 100db of sound. Yes, it's your hardware, but rules exist to further a public good--a (relatively) pollution and noise free environment.
Similarly, laws exist that say that you cannot circumvent protection mechanisms such as that on the TiVo.
Why? because, again, there is a public good involved, but this one is subtler. It's the public good of a business climate where companies make products and services using a variety of business models and people buy them and use them in a manner consistent with widely-held notions of fairness.
The alternative is a world where prices are higher / options are fewer because companies would have to hedge against unauthorized uses.
Of course, for some businesses, it turns out to be beneficial that there is a user community that likes to hack around. But it's up to the company to decide whether that is, indeed, the case as far as it is concerned.
'Cause there simply is no alternative. 90% of all consumers are totally in the dark about anything that involves technology. So businesses run flashy ads and salespeople move the product. It simply is not economically sound for these companies to appease this small percentage of technologically literate consumers. So in the end it is the people who really will use the device to its fullest extent that get the shaft.
Why can't you use the GPU in most people's machines to crack these things? It seems to me that they would work just as well as normal processors in cracking codes. Why not use both CPU and GPU processing power to crack these things?
This isn't true, unfortunately. When the implementations of strong hash checking are done properly (everything in one chip, ROM a la Xbox), they WILL succeed in locking everyone else out without very expensive hacks.
Personally I think new law is needed to render this illegal, unless it is under the control of the user.
If you think that sounds extreme, consider that the persistent state for all copyrighted works is that they are in the public domain. It is a temporary aberration of a few years that the works are allowed to be held privately. After that they are meant to be available for everyone. As it is these encrypted fortresses inside consumer products will never yield up their secrets.
I'm sure someone out there can whip up a FreeBSD port without too much trouble...or at least some precompiled Linux binaries that I could run on my FreeBSD boxes...
Is this a violation of the DMCA? Are the project and its participants likely to be prosecuted as such?
Please note, I did, follow the link and read the linked discussion, but saw no sign of this information.
Russ
Information doesn't want to be anthropomorphized anymore.
You cannot buy a 2003 ford mustang, remove the muffler, and drive around at 3am generating 100db of sound.
You can't bludgeon someone to death with a Tivo either, but that doesn't make it any less a specious analogy.
No one has a right to a profitable business model, and the power grab by content manufacturers has no more or less moral authority than the resistance of people using piracy. They rationalize that behavior because the corporations themselves are already trampling on the "widely held notions of fairness".
This isn't true, unfortunately. When the implementations of strong hash checking are done properly (everything in one chip, ROM a la Xbox), they WILL succeed in locking everyone else out without very expensive hacks.
Personally I think new law is needed to render this illegal, unless it is under the control of the user.
While I concur that the notion of a company removing or limiting features after the purchase of a product is disagreeable, you are incorrect in citing the Xbox as a 'hack-proof' design. The GameCube actually has the design you are referring to, where the BIOS and many/most/all security measures are contained in a single, integral chip such as the CPU, or the graphics chip as is the case with the GameCube iirc.. the GameCube media also contributes to the difficulty of hacking the unit to run anything other than Nintendo-authorized games.
The Xbox has been modded to the point where you can not only run games from different territories, you can actually run FTP clients on it and download games and movies onto an upgraded 120GB HDD and play them directly from disc. In the current hardware, the BIOS chip is separate from other (more expensive and customized) hardware. The common media and separate security measures (unencrypted signals travel an accessible path at one point) contribute to the Xbox having been hacked.
That said, I believe your proposed legislation would be difficult to implement for at least two reasons; one being that you likely purchase a license to the software rather than the software itself. I guess you could still try and legislate acceptable license terms, but even then the definition of a 'good' or 'bad' feature being added to or removed from a product may be a matter of perspective.
and visit my website goddammit!!@!
full length albums complete with print resolution artwork -- earth2willi.com
I agree, it wouldn't be very nice to set fire to my Tivo and throw it through your window. Conversely if I rip the silencer off my motor, it would be perfectly OK to drive it around on private land (with permission) 20 miles from the nearest inhabitant (in the UK at least).
One reason I may want to mod the box is this: consider that maybe I want to use and pay for the Tivo service but I also want to add some random feature. That would be in the same league as installing an amp in my car or whatever. I do not expect to have to ask the manufacturer's permission to disassemble my dashboard.
The other reason I may want to crack the unit is that it's my box - I paid for it, I own it, it's on my property.
I take on board your argument supporting varying business models - but I hold that the business model is flawed. Sell the box at a profit and discount the service. In a way Tivo's business model is basically parallel to the "loss-leader" trick employed by supermarkets. They offer something at an attractive discount (actually with a negative profit margin) in the hope that I will buy other products. However, it is perfectly reasonable for me to isolate all the loss leaders and buy them and nothing else, thus making a loss for the company. That's the risk they took. On average it works out well for them (or they'd stop doing it).
I'm sorry - if TiVo want to guarantee that I will buy their service, they shouldn't sell the box on its own. Or at least they shouldn't sell it at a loss. I can buy a phone without a phone line or rent a phone line without a phone. It would be silly, but I can do it and it doesn't cause the telco or the phone makers any problems.
I generally subscribe to the view "What I own I can take the lid off and poke around" as a starting point. I am very much against any business model which is so flimsy that it needs laws like the DMCA to support it.
All of which is why I've added 2 machines at home to the cracking pool :-)
Sod the DMCA and everything like it in Europe!
Best, Timbo
Why can't women be like Hedy Lamarr - beautiful, talented and inventors of frequency-hopping spread-spectrum techn
I find it amazing that TiVo apologists fall for this type of tactic. The only reason they do is that they have not woken up to the fact that TiVo is not the only maker of PVRs.
I do not expect TiVo to survive. The clueless business model only works if there is no competition. There is plenty of competition in the space and that is only going to increase. Nobody succeeds with a razor-and-blades business model (the TiVo subscription) when there is a cheaper flat-fee option.
Every one of the clueless 'I just want 0.01% of every transaction on the net' payment schemes failed miserably.
But every time we have a TiVo story the TiVo heads rush in to explain why everyone should pay twice the going rate for the technology. It is as pathetic as the Apple apologists: 'Macs are fastest, speed is what matters, buy a Mac, oops they are no longer fastest, well it isn't just CPU power that matters, it's benchmarks, no it's the pretty case'. Apple's price gouging and constant interface-changing games to make old peripherals obsolete should be criticised as much as, if not more than, Microsoft's tactics. But they get away with it.
I don't want the video to decide what to record, I do that. I want a recorder with a removable disk so that the thing is not always full. There is an interesting port on the back of my DishPlayer PVR, anyone know what it does?
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
It would be appropriate to note that this "crack" doesn't allow you to obtain free service, and that this has never been about free service. It's just about the ability to modify your TiVo, install cool things like TivoNet cards and so forth. TiVo keeps making this more difficult with every release. And each time it wears away a bit of community goodwill, which is sad because it's this thriving community on which TiVo has built a business.
OK, this is almost certainly a really dumb question - but why can't we just put our own hash into the system?
SIG: HUP
Because TiVo doesn't really care. They are doing this, probably, so that they can safely say that Joe Average doesn't have these features.
Do you think they are so stupid as to think that the community won't crack this? Of course they know it will.. the point is that they be seen as shipping a product with these features disabled.
If it's too easy, and already public knowledge, they will change it; otherwise they could be seen as supporting those features, and could end up in court. Forcing people to go through this kind of crap makes it easy for them to point out that it's unsupported, not part of their main product, etc.
And therein lies the rub.
90% of what people bitch about here on Slashdot is the direct result of 90% of all consumers being totally in the dark about anything that involves technology. (Man, that would make a great .sig if it weren't for the wimpy length limit.)
There are a few potential solutions to this problem:
1. Education - all children should be taught critical thinking, the scientific method, electronics and computers right next to reading, writing, and 'rithmatic. (yeah, like that's ever going to happen in this world - most people in the world are functionally illiterate, because their governments don't fund public education, etc. - in the US, we're lucky if some districts cram creationism down our throats - and between security checks for guns and bombs, drug dealers, gangs, football, etc - Education, will never ever happen).
2. Technocracy - Establish a ruling class of technologically savvy people (who rightfully deserve it!) to lead the unwashed masses into a glorious enlightened future. (this will occur moments after the current monied establishment all keels over from a deadly virus spread by contact with $100 bills - ya, right).
3. This is reality, society has reached a stable equilibrium with the ultra-rich running things, and making sure the ultra-stupid stay that way so that they can be kept as cheap, willing slaves and captive consumers of crippled goods.
Sorry to be such a downer, man.
These are my friends, See how they glisten. See this one shine, how he smiles in the light.
I think the persistent state for all copyrighted works made after Mickey Mouse will continue to be copyrighted...
Disney: "You can have Mickey Mouse, when you pry it from my cold dead fingers"
What we see depends on mainly what we look for. -- John Lubbock Now search for that bug slave!
The answer to checking for forged results is to double the workload and submit each workset to two different machines as far away from each other as possible. If the answers agree, accept, otherwise recompute the worksets on more machines and take a majority vote. I thought Seti@Home did something like this?
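The redundancy scheme described in this comment, as an added example that is not part of the thread: each work unit goes to two workers in different regions, a disagreement triggers recomputation on further machines and a majority vote, and every worker whose answer lost the vote is counted against. The "work" here is a constructed stand-in (a truncated SHA-1 of the unit label) and the worker names, regions and cheater behaviour are all made up for the demonstration.

```python
import hashlib
from collections import Counter


def true_answer(unit):
    """Constructed stand-in for a work unit's correct result."""
    return hashlib.sha1(unit.encode()).hexdigest()[:8]


class Worker:
    def __init__(self, name, region, honest=True):
        self.name, self.region, self.honest = name, region, honest

    def run(self, unit):
        if self.honest:
            return true_answer(unit)
        # Cheater: returns a unit-specific but wrong result to inflate its score.
        return hashlib.sha1((unit + self.name).encode()).hexdigest()[:8]


def pick_pair(workers, k):
    """Deterministically pair worker k with the next worker in a different region."""
    n = len(workers)
    a = workers[k % n]
    for step in range(1, n):
        b = workers[(k + step) % n]
        if b.region != a.region:
            return a, b
    raise ValueError("need workers in at least two regions")


def verify_pool(units, workers, extra_voters=3):
    """Accept results only when two far-apart workers agree; otherwise recompute
    on more machines and take the majority. Returns (accepted results,
    per-worker count of results that lost a vote)."""
    accepted, losses = {}, Counter()
    for k, unit in enumerate(units):
        a, b = pick_pair(workers, k)
        votes = [(a, a.run(unit)), (b, b.run(unit))]
        if votes[0][1] != votes[1][1]:
            others = [w for w in workers if w is not a and w is not b]
            votes += [(w, w.run(unit)) for w in others[:extra_voters]]
        tally = Counter(r for _, r in votes)
        winner = tally.most_common(1)[0][0]
        accepted[unit] = winner
        for w, r in votes:
            if r != winner:
                losses[w.name] += 1
    return accepted, losses


if __name__ == "__main__":
    pool = [Worker("h1", "us"), Worker("h2", "eu"), Worker("h3", "asia"),
            Worker("cheat", "us", honest=False)]
    units = [f"unit-{i}" for i in range(8)]
    results, losses = verify_pool(units, pool)
    print(all(results[u] == true_answer(u) for u in units), dict(losses))
```

With one cheater among four workers the majority still recovers the correct result for every unit, and the loss counter identifies which worker keeps submitting forged results; with several colluding cheaters the quorum would need to grow accordingly.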
Looks like /. did them a favour in terms of providing more computing power.
Why can't women be like Hedy Lamarr - beautiful, talented and inventors of frequency-hopping spread-spectrum techn
They have already tried most of the 9-character space to no avail, and every additional character makes the search take 37 times longer. And, as was said numerous times, when they find it, TiVo will just change it again and tack on a couple more characters.
Plus, there is no verification of results, so surely someone will cheat a la SETI@Home just to inflate his score by returning a bunch of bogus results, and the results will be invalid. Worse yet, a truly malicious person could return bad results for a whole lot of valid usernames, and it may be impossible to separate the good results from the bad. (I don't know if the server tracks IP addresses, but those can be spoofed too.)
So, this is kind of futile, but it looks like they're having fun. :-)
Patrick Doyle
I mod down every jackass who puts his moderation policy in his sig. Oh, wait a sec....
The code to enable 30-second skips is "select" "play" "select" "3" "0" "select", and does not require the "master back door enable" code referenced by this thread. The "master back door enable" code opens up about two dozen other codes. See the Tivo backdoor page for details.
Think of stuff like drugs, suicide, fictional pornography, and you'll have lots of laws which can get you arrested for doing things in the privacy of your own home. On the other hand, I like to think that the actions are only criminal if you get caught which means, by definition that you are no longer affecting only yourself.
However... I have a theory about this. As an armchair political theorist, I will make the broad statement that capitalism is anti-democratic. In the eyes of government, the will of the corporation has long outweighed the will of the people.
International government power is found in economic well-being and competitiveness. Corporations provide that power and are thus more important than citizens.
So if a corporation says "we can be more competitive if you support digital-etcetera laws", the government is compelled to assist them. Why? Because if your country slips in the capitalist system, you lose international power.
From this perspective, the Microsoft case was one where the government was torn between defending the internal free market and defending a great international economic power. From the microscopic perspective... hurting the corporation could do more damage to domestic jobs than could be recovered by a healthy domestic marketplace. A battle between the tangible and immediate (jobs) and the abstract (healthy internal economy).
So do you use government might to empower Disney, Warner Bros and other domestic corporations? Or do you risk losing those corporations in the interest of personal freedom? That is, do you preserve your healthy and powerful global industry at the cost of individual liberties?
What could the people gain by the government supporting individual liberties?
SHA is a stream hash. That means you can do 4 bytes' worth, save the state and then cycle through the next 5 bytes much faster. When doing the same thing with MD5, you can precalculate all but the last two bytes and then cycle those real fast.
MD5 uses a table of sine values. If someone were to make slight changes in those tables, then this kind of crack wouldn't work unless the hash was verified. I suspect the same is true for SHA but I haven't looked at that yet.
This is why I sent back the Tivo I ordered (it was Series 2 which to my knowledge has never been successfully hacked ... yet). I don't want to be constantly locked out of my machine when some corporation decides to tighten the screws again by a forced software upgrade. In some sense, TiVo is worse than Microsoft, even though they nominally "support" open source by using Linux. With Windows, I choose when to install the Service Pack update ... at least thus far :)
Instead I bought a Pentium IV 2.4, Asus P4PE, 512 333 MB DDR, Leadtek A250 GF4 Ti4200 (which has a Conexant HDTV-capable video out ... don't buy a card with the lower quality VIVO Phillips chip) and an ATI TV-Wonder capture card. Grabbed two old 10Gig drives from another machine and I had something that cost me nothing more than the Series 2 TiVo.
What software will I run? Well, right now I'm leaning heavily toward MythTV. With this I will eventually be able to surf the web, check email, play games, as well as schedule programs and skip through commercials in TV broadcasts. A few bucks and an afternoon of tinkering will also hopefully allow me to control the channel switching on the digital cable box from the computer's infra-red port.
There is also Freevo, which I may consider looking at if I don't like MythTV, although the activity on the mailing lists indicate that this system is already quite functional for many users.
Hope this is useful to anyone out there still sitting on the fence. I reached my decision after several hours of research on the web. I hope I don't regret it!
Having been running the cracker client all day, it appears two things are limited:
The character set involved is just: ABCDEFGHIJKLMNOPQRSTUVWXYZ 0123456789
I presume that limited by what you can enter via the Tivo remote (I don't actually have a Tivo).
The experts seem to be pretty sure they are dealing with a SHA1 hash. I'll shut up now as I'm not a crypto expert. The one thing I will say is the character set is *very* limited and favours a brute force attack.
It could be doomed if Tivo used a long string like 20 characters because every extra character requires 37 times as much effort to permute all combinations as was previously required.
It's taking an estimated 3 days to cover the len=9 passwords. So 100-odd days will be needed for the len=10 case.[1][2]
But there will be a limit to the length of the string - the Tivo engineers have to type the bl**dy thing in so I find it hard to believe it's as long as it is.
You might also think that patching the code is viable - I believe you can do that. However I did see some mutterings on a webgroup that Series 2 Tivos are key-signing parts of the system to prevent tampering (so the next job for someone will be hacking the firmware :-)
Best, Timbo
Note: [1] - Assuming no short cuts are used in the scan. Seems pretty linear looking at the logs on my machine.
Note: [2] - Of course, the computing pool is growing steadily.
Why can't women be like Hedy Lamarr - beautiful, talented and inventors of frequency-hopping spread-spectrum techn
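An added example, not code from the thread or from the project it discusses, that puts numbers on the points made in the three technical comments above: the 37-symbol remote alphabet, the factor-of-37 cost per extra character extrapolated from the posted 3-day len=9 scan, and the "save the state after the prefix" property of SHA-1 that the SHA/MD5 comment describes. The last function shows the mitigation a defender would want: a salted, iterated PBKDF2-HMAC check, where the candidate is the HMAC key so no intermediate state is shared between guesses. The salt and example code below are constructed for the demonstration.

```python
import hashlib
import hmac

# Character set reported in the thread: 26 letters, space, 10 digits = 37 symbols.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ 0123456789"


def keyspace(length, alphabet=ALPHABET):
    """Number of distinct codes of the given length over the alphabet."""
    return len(alphabet) ** length


def growth_factor(alphabet=ALPHABET):
    """Search-cost multiplier for each additional character: the alphabet size."""
    return len(alphabet)


def estimate_days(length, reference_length=9, reference_days=3.0, alphabet=ALPHABET):
    """Linear extrapolation from a measured exhaustive scan
    (the thread reports roughly 3 days for length 9, assuming no shortcuts)."""
    return reference_days * len(alphabet) ** (length - reference_length)


def digests_from_scratch(prefix, suffixes):
    """Hash prefix+suffix in full for every candidate suffix."""
    return {s: hashlib.sha1((prefix + s).encode()).hexdigest() for s in suffixes}


def digests_from_snapshot(prefix, suffixes):
    """Hash the fixed prefix once, then resume from a copy of the saved state.
    Equal output to digests_from_scratch shows why a plain Merkle-Damgard hash
    such as SHA-1 charges nothing per guess for a shared prefix."""
    base = hashlib.sha1(prefix.encode())
    out = {}
    for s in suffixes:
        h = base.copy()          # snapshot of the compression-function state
        h.update(s.encode())
        out[s] = h.hexdigest()
    return out


def keyed_digest(code, salt, iterations=100_000):
    """Mitigation: PBKDF2-HMAC-SHA1. The candidate code is the HMAC key, so
    every guess restarts from scratch and pays the full iteration count."""
    return hashlib.pbkdf2_hmac("sha1", code.encode(), salt, iterations).hex()


def verify_code(candidate, salt, stored_hex, iterations=100_000):
    """Constant-time comparison against the stored verifier."""
    return hmac.compare_digest(keyed_digest(candidate, salt, iterations), stored_hex)


if __name__ == "__main__":
    for n in (9, 10, 12):
        print(n, keyspace(n), f"~{estimate_days(n):.0f} days")
    print(digests_from_snapshot("ABCD", ["E1", "X 9"]) == digests_from_scratch("ABCD", ["E1", "X 9"]))
    salt = b"constructed-salt"                       # constructed for the demo
    stored = keyed_digest("CONSTRUCTED CODE", salt)   # constructed example code
    print(verify_code("CONSTRUCTED CODE", salt, stored))
```

The keyspace figures reproduce the thread's estimate (len=10 is 37 times len=9, about 111 days at the posted rate), and the snapshot comparison demonstrates the property the SHA/MD5 comment relies on. The PBKDF2 variant illustrates the defender's side: with a per-device salt and a high iteration count, an exhaustive scan of even the 9-character space becomes proportionally more expensive and results cannot be shared across devices.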
Not intending flamebait, but isn't this exactly what we're usually complaining about companies doing? This is one of the highest examples of insecure design. It's not that difficult to remove the backdoor code from the public release, if you code it right to begin with.
No it's not that difficult to remove them. But if you keep the backdoors in, and then wait until the last load before you go GM to remove them, you've just increased the amount of work your QA department has to do. They have to be insanely thorough to make sure that removing of the backdoor code hasn't affected any other code. They're not going to be very happy if you do this at the last minute. And albeit in perfectly designed system, the removal wouldn't affect anything else. But, QA has to do what they have to do. They refuse to make assumptions like that. So now QA has more work to do, which means there's a possibility of the release date being pushed further back (maybe by a week -- but that could push it into the next fiscal quarter, thus screwing up revenues), and now you have shareholders that are unhappy.
Net result? Unhappy engineers (QA for doing more work, devs for having to be "on call"), unhappy customers (people always get upset when they have to wait longer), and unhappy shareholders (they want to see $$$, not QA test results).
If TiVo really wanted to lock people out, they'd disable the backdoors to begin with, and if they really needed to see the logs on a defective unit, they could load it up on a custom system that can pull the logs from the drives after putting them in a read-only configuration.
Yes, they can do that. But, speaking for the QA engineers again, since they're fairly important during the dev cycle... Now, instead of hitting four keys on their remote (clear-enter-clear-thumbs up) to view the log files on their standard system (i.e. you have to test on the exact configuration a customer would have) they now either have to pull the drives out and read the log files on another system (very time consuming just to see one log entry).
They can't very well have a network connection for a couple of reasons. 1- You can't have any daemons running on the TiVo while you're testing it, because the customers won't have them running on their units (i.e. telnet/ftp/etc). Ignoring that, the 2nd issue is that they can't leave the TiVo connected to the network during their tests, because what if that's "altering" the behavior of code -- i.e. a bug only exists when there is no network connection, but a QA tester never notices this because they always have their test station connected so they can view log files through the network. So a bug goes unnoticed, they GM the release, and all of a sudden TiVo's support line is swamped with buggy software reports, and they now have to spend more money rolling out an emergency patch.
Net result? TiVo's not happy (more work/more money spent/public black eye), the customers aren't happy ("This TiVo is a POS! Lets go check out UltimateTV!"), and the shareholders certainly aren't happy.
And quite frankly, I think they also leave the backdoors in for the 'hacker' community. But, they need to protect themselves from the 'Joe Blow' community. By doing what is discussed here (changing it to an impossible code for 'Joe Blow' to enter, but allowing a 'hacker' to change it with ease), maybe they've found a nice balance. Aren't we always talking about companies doing something for "us"? Isn't this a case where they're doing something for us? -- leaving in useful utils (log viewer on TV), prototype code (Teach TiVo was very useful, and only available through backdoors), etc.
Then again, I could've been completely off in my original speculation. But the above scenarios of QA are accurate of every software shop I've worked in. You change two bytes in a boot record, and they'll rerun 28 hours of tests that have nothing to do with the boot record, just to make sure there wasn't any code that was dependent on the previous boot record value. And rightfully so, in all honesty.
Distributed computing projects must meet 3 criteria:
1. Non-Profit or I get a piece of the action. Seti@home is non-profit, I get a free gig from easynews for every 15 days I run the UD client screening for Cancer drugs. They both pass this test.
2. Tight, well-written, preferably small, secure code. If a DC client crashes my machine once it is out the door. I hate to be overly sensitive to such issues, but if the programmers tried to keep things small they will have fewer problems.
3. Must get the hell out of my way without my interference when I want to do things. I don't want to have to close it when I want to play video games. I know that this seems like a stupid thing to want, but consider what this is saying about how well written the code is.
Now once you give me a client that passes all three of these criteria then who cares if it is a good cause or not?
I mean, the stuff the drug companies want you to do has good cause written all over it, but why do I want to pay for their bandwidth, their processor time and their upkeep if they are not willing to send a little something-something my way?
I don't know if this DC TiVo thing meets #2 and #3 yet. But it definitely passes #1 with flying colors.
And if you consider that all the people that take part in it are probably TiVo geeks from the TiVo Community that want access to this code anyway, then who cares?
This is like the SETI thing. Are they gonna find space aliens? No. But the project itself, them bringing the DC format to the forefront of the networking world and what it could bring with it in the future, is too exciting a prospect to pass up.
I encourage DC apps. I find it a fascinating field. Let the TiVo geeks have their fun.
Besides.... and I know you won't believe this. Tivo doesn't really mind. These particular geeks are a huge faction of the Tivo population. Tivo kinda has a hands off policy with them anyways.